Why Using WhatsApp Is Dangerous

Why Using WhatsApp Is Dangerous

A few months ago I wrote about a WhatsApp backdoor that allowed hackers to access all data on any phone running WhatsApp [1]. Facebook, its parent company, claimed at the time that they had no proof the flaw had ever been used by attackers [2].

Last week it became clear that this backdoor had been exploited to extract private communications and photos of Jeff Bezos – the richest person on the planet – who unfortunately relied on WhatsApp [3]. Since the attack seemed to originate from a foreign government, it is likely that countless other business and government leaders have been targeted [4].

In my November post, I predicted this would happen [5]. The United Nations now recommends its officials remove WhatsApp from their devices [6], while people close to Donald Trump have been advised to change their phones [7].

Given the gravity of the situation, one would expect Facebook/WhatsApp to apologize and pledge not to plant backdoors in their apps going forward. Instead, they announced that Apple, not WhatsApp, was to blame. Facebook’s vice president claimed that iOS, rather than WhatsApp, had been hacked [8].

If you follow my blog, you know I am not exactly an Apple fanboy [9]. iOS devices have loads of privacy-related issues. But this was not one of them – for two reasons:

1) WhatsApp’s “corrupt video” vulnerability was present not only on iOS, but also on Android and even Windows Phone devices. Meaning, on all mobile devices with WhatsApp installed.

2) This security fault was not present in other messaging apps on iOS. Had Jeff Bezos relied on Telegram instead of WhatsApp, he wouldn't have been blackmailed by people who compromised his communications [10].

Consequently, the issue was not iOS-specific, but WhatsApp specific.

In their marketing, WhatsApp uses the words “end-to-end encryption” as some magic incantation that alone is supposed to automatically make all communications secure [11]. However, this technology is not a silver bullet that can guarantee you absolute privacy by itself.

Telegram rolled out end-to-end encryption for mass communication years before WhatsApp followed suit, and we’ve been mindful not only of the strengths, but also the limitations of this technology. Other aspects of a messaging app can render end-to-end encryption useless. Below are three examples of what can go wrong.

First, there are backups. Users don’t want to lose their chats when they change devices, so they back up the chats in services like iCloud – often without realizing their backups are not encrypted. The fact that Apple was forced by the FBI to abandon encryption plans for iCloud is telling [12]. That’s one of the reasons why Telegram never relies on third-party cloud backups, and Secret Chats are never backed up anywhere.

Second, there are backdoors. Enforcement agencies are not too happy with encryption, forcing app developers to secretly plant vulnerabilities in their apps. I know that because we’ve been approached by some of them – and refused to cooperate. As a result, Telegram is banned in some countries where WhatsApp has no issues with authorities, most suspiciously in Russia and Iran [13].

Backdoors are usually camouflaged as “accidental” security flaws. In the last year alone, 12 such flaws have been found in WhatsApp. Seven of them were critical – like the one that got Jeff Bezos [14]. Some might tell you WhatsApp is still “very secure” despite having 7 backdoors exposed in the last 12 months, but that’s just statistically improbable. Telegram, an application used by hundreds of millions of people including heads of states and large companies, has had no issues of that severity in the last 6 years.

Third, there are flaws in encryption implementation. How can anybody be sure that the encryption WhatsApp claims to use is the one actually implemented in their apps? Their source code is hidden and the apps’ binaries are obfuscated, making them hard to analyze. On the contrary, Telegram apps have been open-source and its encryption fully documented since 2013. Telegram supports verifiable builds for both iOS and Android – meaning anyone can make sure the source code on GitHub and the Telegram app you download are the same thing [15]. No other messaging app is doing that for both mobile operating systems, and one might just start wondering why.

Don’t let yourself be fooled by the tech equivalent of circus magicians who’d like to focus your attention on one isolated aspect all while performing their tricks elsewhere. They want you to think about end-to-end encryption as the only thing you have to look at for privacy. The reality is much more complicated.

Some could say that, as a founder of a rival app, I may be biased when criticizing WhatsApp. Of course I am. Of course I consider Telegram Secret Chats to be significantly more secure than any competing means of communication – why else would I be developing and using Telegram?

However, the statements in this post are based on facts, not personal preference. And, just like the code of the Telegram apps, these facts are verifiable and further supported by the third-party sources below. When it comes to security, nobody should take anybody’s word for granted.